|Publication Type|Journal Article|
|Year of Publication|2009|
|Authors|Bailey, D. V., L. Batina, D. J. Bernstein, P. Birkner, J. W. Bos, H.-Chung Chen, C.-Mou Cheng, G. van Damme, T. Güneysu, F. Gurkaynak, T. Kleinjung, C. Paar, F. Regazzoni, R. Niederhagen, P. Schwabe, L. Uhsadel, and A. Van Herrewege|
|Journal|IACR Cryptology ePrint Archive|
|Keywords|Attacks, automorphisms, binary fields, Certicom challenges, DLP, ECC, implementation, Koblitz curves, parallelized Pollard rho|
Elliptic-curve cryptography is becoming the standard public-key primitive not only for mobile devices but also for high-security applications. Advantages are the higher cryptographic strength per bit in comparison with RSA and the higher speed in implementations. To improve understanding of the exact strength of the elliptic-curve discrete-logarithm problem, Certicom has published a series of challenges. This paper describes breaking the ECC2K-130 challenge using a parallelized version of Pollard's rho method. This is a major computation bringing together the contributions of several clusters of conventional computers, PlayStation 3 clusters, computers with powerful graphics cards and FPGAs. We also give estimates for an ASIC design. In particular we present

* our choice and analysis of the iteration function for the rho method;
* our choice of finite field arithmetic and representation;
* detailed descriptions of the implementations on a multitude of platforms: CPUs, Cells, GPUs, FPGAs, and ASICs;
* details about running the attack.